About Boot-Start driver sign

Hi,

I am trying to sign a boot-start driver, genport. I changed it to boot start and added x64 support (Win7/Vista and XP), and then signed it with the following commands:
signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys

I verified it with the following commands:
signtool verify /kp /v F:\genport\genport.cat %CURDIR%\genport\genport.sys
signtool verify /pa /v F:\genport\genport.sys
signtool verify /kp /v F:\genport\genport.sys

All succeed, but it can’t be loaded when I try to install it. The error message is: “Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)”.

What’s the reason? Is it about my certificate? By the way, it can be loaded if StartType is set to SERVICE_DEMAND_START with the same sign command.

Allen

My guess would be your certificate is not in Trusted publisher list or
Trusted Root Certification Authorities.

Run certmgr.msc and check whether your certificate is listed under
Trusted Publishers. If not, you have to add it to Trusted Publishers.

Commands to add your certificate to the Trusted Publishers list and the Trusted Root
Certification Authorities list:

certmgr.exe /add yoursigningcert.cer /s /r localMachine root
certmgr.exe /add yoursigningcert.cer /s /r localMachine trustedpublisher

You must have read this doc; if not, better to read it. :slight_smile:
http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx

/sarbojit

On Wed, Oct 6, 2010 at 3:13 PM, wrote:

> Hi,
>
> I am trying to sign a boot-start driver, genport. I changed it to boot
> start and added x64 support (Win7/Vista and XP), and then signed it with the
> following commands:
> signtool.exe sign /v /s my /n "MyCompany" /t
> http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
> signtool.exe sign /v /s my /n "MyCompany" /t
> http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys
>
> I verified it with the following commands:
> signtool verify /kp /v F:\genport\genport.cat %CURDIR%\genport\genport.sys
> signtool verify /pa /v F:\genport\genport.sys
> signtool verify /kp /v F:\genport\genport.sys
>
> All succeed, but it can’t be loaded when I try to install it. The error
> message is: “Windows cannot verify the digital signature for the drivers
> required for this device. A recent hardware or software change might have
> installed a file that is signed incorrectly or damaged, or that might be
> malicious software from an unknown source. (Code 52)”.
>
>
> What’s the reason? Is it about my certificate? By the way, it can be
> loaded if StartType is set to SERVICE_DEMAND_START with the same sign command.
>
>
>
> Allen
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Thank you sarbojit,

I have read the kmcs-walkthrough.mspx; the following is my output from verify.

H:>signtool verify /kp /v H:\genport\genport.cat H:\genport\genport.sys
Verifying: H:\genport\genport.cat
Hash of file (sha1): 0CC1F866ABC4330965E90EB67002941CAD984FF7
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 07:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue May 21 07:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: MyCompany
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: MyCertExpiresTime (it’s a valid time, Apr 2011)
SHA1 hash: MySHA1
The signature is timestamped: Wed Oct 06 17:10:03 2010
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 07:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 07:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Fri Jun 15 07:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 21:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Tue May 24 01:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue May 21 07:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: MyCompany
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: MyCertExpiresTime (it’s a valid time, Apr 2011)
SHA1 hash: MySHA1

The following is the path.
VeriSign Class 3 Public Primary CA
VeriSign Class 3 Code Signing 2009-2 CA
MyCompany

Thank you

Allen

The following lines come from “KMCS_Walkthrough.doc”:
Boot-Start Drivers
A boot-start driver is one that is loaded by the Windows Vista operating system loader. Boot-start drivers can be identified as follows:
- The driver’s INF file specifies the start type as “Start=0.”
- A kernel service is configured with a ServiceType of kernel driver or file system driver and has StartMode set to “boot.”

For optimal system boot performance, a driver package that contains a boot-start driver must be signed in two ways:
- Signed catalog file. A boot-start driver package that is installed by using an INF file must have a signed catalog file, just like other types of drivers. The catalog file is used for signature verification during installation.
- Embedded signature. A boot-start driver’s binary image file must be embedded-signed by using an SPC with a corresponding cross-certificate.

How to Embedded-Sign a Boot-Start Driver
SignTool is used to embedded-sign binary files and catalog files, including test-signing binary image files by using a test certificate. This example uses SignTool to test-sign the Toastpkg sample’s binary file, toaster.sys.
The following command line signs toaster.sys, by using the test certificate that was created in Step 2, Contoso.com(Test). It also adds a timestamp to the digital signature:
Signtool sign /v /s PrivateCertStore /n Contoso.com(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll amd64\toaster.sys

Did you download the proper cross-certificates from Microsoft? Your
information from Verisign should provide a link.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@sina.com
Sent: Wednesday, October 06, 2010 4:45 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] About Boot-Start driver sign

Hi,

I am trying to sign a boot-start driver, genport. I changed it to boot
start and added x64 support (Win7/Vista and XP), and then signed it with the
following commands:
signtool.exe sign /v /s my /n "MyCompany" /t
http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
signtool.exe sign /v /s my /n "MyCompany" /t
http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys

I verified it with the following commands:
signtool verify /kp /v F:\genport\genport.cat F:\genport\genport.sys
signtool verify /pa /v F:\genport\genport.sys
signtool verify /kp /v F:\genport\genport.sys

All succeed, but it can’t be loaded when I try to install it. The error
message is: “Windows cannot verify the digital signature for the drivers
required for this device. A recent hardware or software change might have
installed a file that is signed incorrectly or damaged, or that might be
malicious software from an unknown source. (Code 52)”.

What’s the reason? Is it about my certificate? By the way, it can be
loaded if StartType is set to SERVICE_DEMAND_START with the same sign command.

Allen



I looked at all the messages on this thread as of about 7:30 AM PDT, and my conclusion from the presented evidence is that either (1) your catalog file does not contain all of the files the INF says are a part of the driver package [e.g. you have files in CopyFiles somewhere that are not cataloged], or (2) you changed one of the files in the package AFTER you created the catalog. That actually is what that particular message is trying to tell you, for that matter.

There’s more to it than having the proper certificate, you also have to use it to sign a complete catalog of every file in the package in the form they will be installed. Finally, one common error I see people make (particularly if they do it themselves, which I am not arguing against, because I don’t use INF2CAT either) is they either don’t catalog the INF file itself, OR they change it after they’ve cataloged it.

-----Original Message-----
Sent: Wednesday, October 06, 2010 2:45 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] About Boot-Start driver sign

Hi,

I am trying to sign a boot-start driver, genport. I changed it to boot start and added x64 support (Win7/Vista and XP), and then signed it with the following commands:
signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys

I verified it with the following commands:
signtool verify /kp /v F:\genport\genport.cat F:\genport\genport.sys
signtool verify /pa /v F:\genport\genport.sys
signtool verify /kp /v F:\genport\genport.sys

All succeed, but it can’t be loaded when I try to install it. The error message is: “Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)”.

What’s the reason? Is it about my certificate? By the way, it can be loaded if StartType is set to SERVICE_DEMAND_START with the same sign command.

Allen

xxxxx@sina.com wrote:

I am trying to sign a boot-start driver, genport. I changed it to boot start and added x64 support (Win7/Vista and XP), and then signed it with the following commands:
signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys

Did you do it in exactly that order? If so, that was silly. The CAT
file includes a checksum of all of the files in your package. When you
sign the SYS file, you change it, which invalidates the checksum. Sign
the SYS, then build the CAT, then sign the CAT.

By the way, what you’re doing here will NOT work for KMCS on a 64-bit
system, because you are not specifying the cross-certificate.

Why does “genport” need to be a boot-start driver? It’s a generic
service that allows user-mode apps to access I/O ports, but user-mode
apps don’t run at boot.

What’s the reason? Is it about my certificate? By the way, it can be loaded if StartType is set to SERVICE_DEMAND_START with the same sign command.

With SERVICE_DEMAND_START, the driver isn’t loaded until you do a “net
start”.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I don’t think that actually matters. You can binary sign the exe or
sys file after the cat file and that just works, for reasons I no
longer care to remember.

I could be wrong, however I just looked at my build system and that is
exactly the order of operations and everything is all blessed and
kosher on win7 x64 systems.

Mark Roddy

On Wed, Oct 6, 2010 at 1:21 PM, Tim Roberts wrote:
> xxxxx@sina.com wrote:
>> I am trying to sign a boot-start driver, genport. I changed it to boot start and added x64 support (Win7/Vista and XP), and then signed it with the following commands:
>> signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
>> signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys
>
> Did you do it in exactly that order? If so, that was silly. The CAT
> file includes a checksum of all of the files in your package. When you
> sign the SYS file, you change it, which invalidates the checksum. Sign
> the SYS, then build the CAT, then sign the CAT.
>
> By the way, what you’re doing here will NOT work for KMCS on a 64-bit
> system, because you are not specifying the cross-certificate.
>
> Why does “genport” need to be a boot-start driver? It’s a generic
> service that allows user-mode apps to access I/O ports, but user-mode
> apps don’t run at boot.
>
>> What’s the reason? Is it about my certificate? By the way, it can be loaded if StartType is set to SERVICE_DEMAND_START with the same sign command.
>
> With SERVICE_DEMAND_START, the driver isn’t loaded until you do a “net
> start”.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>

I was about to say the same thing- in my case, I know why but not knowing what I can or can’t say about it will opt to say nothing at all useful to anyone beyond the order not mattering.

-----Original Message-----
From: Mark Roddy
Sent: Wednesday, October 06, 2010 1:45 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] About Boot-Start driver sign

I don’t think that actually matters. You can binary sign the exe or sys file after the cat file and that just works, for reasons I no longer care to remember.

I could be wrong, however I just looked at my build system and that is exactly the order of operations and everything is all blessed and kosher on win7 x64 systems.

Mark Roddy

… though doing it in what’s obviously the “right” order saves later
having to remember (or, for someone else, having to discover) that it’s
OK to do it in the “wrong” order. Avoids that frustrating five minutes
going from the joy of “yes, that must be it” to the despair of “oh, I
remember now” …

Bob Kjelgaard wrote:

I was about to say the same thing- in my case, I know why but not knowing what I can or can’t say about it will opt to say nothing at all useful to anyone beyond the order not mattering.

-----Original Message-----
From: Mark Roddy
Sent: Wednesday, October 06, 2010 1:45 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] About Boot-Start driver sign

I don’t think that actually matters. You can binary sign the exe or sys file after the cat file and that just works, for reasons I no longer care to remember.

I could be wrong, however I just looked at my build system and that is exactly the order of operations and everything is all blessed and kosher on win7 x64 systems.

Mark Roddy

> Avoids that frustrating five minutes going from the joy of
> “yes, that must be it” to the despair of “oh, I remember now”

+1. I nominate that gem for post of the week, thank you.

Thank you all,

Thank you Bob Kjelgaard,
Yes, I haven’t included WdfCoInstaller.dll. I’ll try it again.

Bob Kjelgaard
I have checked it with the old version of the INF file; it comes from the XP DDK (Build 3790). The same issue is found.

Gary Little
I have downloaded the cross-certificates from Microsoft. If I don’t download them, “signtool verify” fails.

Tim Roberts
The following commands were executed one by one.
1. Inf2Cat /driver:F:\genport /os:7_X64,XP_X64,Vista_X64
2. signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
3. signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys
4. signtool verify /kp /v F:\genport\genport.cat F:\genport\genport.sys
5. signtool verify /pa /v F:\genport\genport.sys
6. signtool verify /kp /v F:\genport\genport.sys
All commands executed successfully.

> Did you do it in exactly that order? If so, that was silly. The CAT
> file includes a checksum of all of the files in your package. When you
> sign the SYS file, you change it, which invalidates the checksum. Sign
> the SYS, then build the CAT, then sign the CAT.
I re-signed it after building it, so the checksum will be valid.

> Why does “genport” need to be a boot-start driver? It’s a generic
> service that allows user-mode apps to access I/O ports, but user-mode
> apps don’t run at boot.
I do it only for testing.

Bob Kjelgaard,
Do you have the same issue? Could you tell me how to solve it? Thank you.

Your line 3 to Tim with the command signtool is not giving a cross-cert. The
kernel signature will be invalid without this. It will NOT work to put the
cross-cert in the certificate store.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-427320-
xxxxx@lists.osr.com] On Behalf Of xxxxx@sina.com
Sent: Saturday, October 09, 2010 7:16 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] About Boot-Start driver sign

Bob Kjelgaard
I have checked it with the old version of the INF file; it comes from the XP DDK (Build 3790).
The same issue is found.

Gary Little
I have downloaded the cross-certificates from Microsoft. If I don’t download them,
“signtool verify” fails.

Tim Roberts
The following commands were executed one by one.
1. Inf2Cat /driver:F:\genport /os:7_X64,XP_X64,Vista_X64
2. signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.cat
3. signtool.exe sign /v /s my /n "MyCompany" /t http://timestamp.verisign.com/scripts/timestamp.dll F:\genport\genport.sys
4. signtool verify /kp /v F:\genport\genport.cat F:\genport\genport.sys
5. signtool verify /pa /v F:\genport\genport.sys
6. signtool verify /kp /v F:\genport\genport.sys
All commands executed successfully.

>Did you do it in exactly that order? If so, that was silly. The CAT
>file includes a checksum of all of the files in your package. When you
>sign the SYS file, you change it, which invalidates the checksum. Sign
>the SYS, then build the CAT, then sign the CAT.
I re-signed it after building it, so the checksum will be valid.

>Why does “genport” need to be a boot-start driver? It’s a generic
>service that allows user-mode apps to access I/O ports, but user-mode
>apps don’t run at boot.
I do it only for testing.

Bob Kjelgaard,
Do you have the same issue? Could you tell me how to solve it? Thank
you.


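The sequence that Tim's and Jan's replies above describe, written out as an added example (it is not a command sequence posted by anyone in this thread): embedded-sign the binary with the cross-certificate passed through signtool's /ac option, build the catalog only after the binary is final, then sign the catalog and verify with kernel-mode policy. The package path, the cross-certificate file name and location, the PATH assumption for signtool.exe and Inf2Cat.exe, and the final check for files modified after the catalog was built are assumptions of this example, not details from the thread.

```powershell
# Added example, not from the thread. Assumptions: the paths below, the
# cross-certificate file (MSCV-VSClass3.cer is the Microsoft cross-cert for the
# VeriSign Class 3 root; its location here is hypothetical), and that
# signtool.exe and Inf2Cat.exe are on PATH.
$ErrorActionPreference = 'Stop'

$PackageDir = 'F:\genport'
$Driver     = Join-Path $PackageDir 'genport.sys'
$Catalog    = Join-Path $PackageDir 'genport.cat'
$Subject    = 'MyCompany'                     # CN of the SPC in the "my" store
$CrossCert  = 'C:\certs\MSCV-VSClass3.cer'    # hypothetical path; must match the SPC's root CA
$Tsa        = 'http://timestamp.verisign.com/scripts/timestamp.dll'

function Invoke-Checked([string]$Exe, [string[]]$ArgList) {
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Embedded-sign the binary first, with /ac so the cross-certificate is carried
#    inside the signature itself. The kernel-mode verifier does not consult the
#    machine's certificate stores, so a cross-cert that is merely installed on
#    the build machine (as Jan notes) does not help at boot.
Invoke-Checked 'signtool.exe' @('sign', '/v', '/ac', $CrossCert, '/s', 'my', '/n', $Subject, '/t', $Tsa, $Driver)

# 2. Build the catalog only after the binary is final, so the hash it records is
#    the hash of the file exactly as it will be installed.
Invoke-Checked 'Inf2Cat.exe' @("/driver:$PackageDir", '/os:7_X64,XP_X64,Vista_X64')

# 3. Sign the catalog, which is what PnP installation verifies against.
Invoke-Checked 'signtool.exe' @('sign', '/v', '/ac', $CrossCert, '/s', 'my', '/n', $Subject, '/t', $Tsa, $Catalog)

# 4. Verify with kernel-mode policy: the embedded signature on the binary, and
#    the binary against the catalog it must be listed in (/c), rather than
#    verifying the two files independently.
Invoke-Checked 'signtool.exe' @('verify', '/kp', '/v', $Driver)
Invoke-Checked 'signtool.exe' @('verify', '/kp', '/v', '/c', $Catalog, $Driver)

# 5. Guard against the failure mode Bob describes: any package file changed after
#    the catalog was built no longer matches the hash the catalog records.
$catTime = (Get-Item $Catalog).LastWriteTime
Get-ChildItem $PackageDir -File |
    Where-Object { $_.FullName -ne $Catalog -and $_.LastWriteTime -gt $catTime } |
    ForEach-Object {
        Write-Warning "$($_.Name) was modified after the catalog was signed; rebuild and re-sign the catalog"
    }
```

The /ac option is the difference between this sequence and the commands Allen listed: without it, signtool verify /kp can still succeed on a build machine where the cross-certificate has been installed, while the boot-time check of the .sys has no store to fall back on.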